Shutdown could delay government's patching of IE, Windows and .NET flaws
Federal desktops, servers are vulnerable to new threats when they are turned back on, analysts say
Computerworld - The ongoing government shutdown could leave desktop and server systems in many federal agencies vulnerable to new threats disclosed Tuesday by Microsoft in its latest round of security updates.
Many federal agencies are operating with skeletal IT staff. All IT systems deemed non-essential have been shut down, making the installation of Microsoft's latest patches, especially on desktop and notebook systems, very difficult for federal agencies, say security analysts.
"The October Windows critical vulnerabilities go across PC and server operating systems," said John Pescatore, director of emerging technologies at the SANS Institute.
"While most of the government security staff was deemed essential, it is likely that many of the employee PCs and laptops were turned off, so it will be hard to patch them," Pescatore noted. So, when the standoff is over and government workers return, a lot of their PCs could be missing critical patches.
Microsoft yesterday issued patches for 26 flaws, including several critical, remotely exploitable, flaws in Windows XP, Windows Server 2003, the Microsoft .Net Framework and multiple versions of the Internet Explorer browser. The patches part of the company's regular monthly security updates.
Security analysts typically recommend that organizations implement Microsoft's security patches as soon as possible to mitigate the risk from hackers.
Over the years, Microsoft and several vendors have released tools that make it much easier for organizations to quickly test and to install required patches with minimal service disruptions.
Theoretically, there should be fewer problems with server updates due to the shutdown -- most agencies have far fewer servers than client systems.
"You would think that without users they could actually patch servers faster," Pescatore said. "However, the reality of these shutdowns is that informal processes get disrupted even if the essential people are still there."
Richard Stiennon, principal at security consulting firm IT-Harvest, predicts that many government systems will have problems once they are turned on after the shutdown. "Best practice would be to isolate these machines until they can be brought up to the most recent patch level," Stiennon noted.
"I suspect that most agencies do not have best practice patch management where they deploy patches quickly anyway," he said.
- Federal IT spending decreasing by billions
- Silicon Valley stays quiet as Washington implodes
- Shutdown could delay government's patching of IE, Windows and .NET flaws
- Shutdown could test IT security at federal agencies
- Government shutdown may disrupt business travel, H-1B visas
- Feds prep for e-gov shutdown
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts